{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2022-032.pdf"
    },
    "title": "UPDATE: Critical Vulnerability Affecting F5 Devices",
    "serial_number": "2022-032",
    "publish_date": "05-05-2022 12:17:00",
    "description": "On the 4th of May 2022, F5 released several patches addressing 43 vulnerabilities, including one identified as critical - CVE-2022-1388. This vulnerability has a CVSS score of 9.8 out of 10, and it may allow an unauthenticated attacker with network access to the iControl REST interface to execute arbitrary system commands, create or delete files, and disable services.<br>On the 9th of May 2022, Horizon3 - along with other groups - released a proof-of-concept exploit. Moreover, exploitation attempts have increased in the last few days. We advise you to patch as quickly as possible and restrict access to the F5 BIG-IP management interface to authorised personnel only.",
    "url_title": "2022-032",
    "content_markdown": "---\ntitle: 'Critical Vulnerability Affecting\u00a0F5\u00a0Devices'\nversion: '1.1'\nnumber: '2022-032'\ndate: 'May 10, 2022'\n---\n\n_History:_\n\n* _05/05/2022 --- v1.0 -- Initial publication_\n* _10/05/2022 --- v1.1 -- Updated with information about active exploitation_\n\n# Summary\n\nOn the 4th of May 2022, F5 released several patches addressing 43 vulnerabilities [1], including one identified as **critical** - CVE-2022-1388 [2]. This vulnerability has a CVSS score of 9.8 out of 10, and it may allow an unauthenticated attacker with network access to the iControl REST interface to execute arbitrary system commands, create or delete files, and disable services [2].\n\nOn the 9th of May 2022, Horizon3 - along with other groups - released a proof-of-concept exploit [3]. Moreover, exploitation attempts have increased in the last few days. We advise you to patch as quickly as possible and restrict access to the F5 BIG-IP management interface to authorised personnel only.\n\n# Technical Details\n\nAn attacker with network access to the BIG-IP system through the management port and/or self IP addresses may bypass iControl REST authentication. As stated in the advisory [2], there is no data plane exposure; this vulnerability is a control plane issue only.\n\n# Affected Products\n\n* BIG-IP:\n  * 16.1.0 - 16.1.2,\n  * 15.1.0 - 15.1.5,\n  * 14.1.0 - 14.1.4,\n  * 13.1.0 - 13.1.4,\n  * 12.1.0 - 12.1.6,\n  * 11.6.1 - 11.6.5.\n* Other F5 products such as BIG-IQ Centralized Management, F5OS-A, F5OS-C, and Traffix SDC are not vulnerable.\n\nFor more detail, consult the table in the F5 advisory [2].\n\n# Recommendations\n\nApply the patches as soon as possible. Fixes for CVE-2022-1388 have been introduced in versions 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, and 13.1.5. For versions 11 and 12 there is no patch available and none will be released.\n\nUpdate: You may check for any unauthorised actions in at least the following two locations:\n\n- /var/log/audit\n- /var/log/restjavad-audit.0.log\n\nIn case of a confirmed compromise, we advise you to rebuild the BIG-IP devices from scratch and rotate the internal certificates and passwords.\n\n## Workarounds\n\nThere are temporary workarounds that can be applied until it is possible to install a fixed version, such as:\n\n* block iControl REST access through the self IP address,\n* block iControl REST access through the management interface,\n* modify the BIG-IP httpd configuration.\n\nMore details can be found in the advisory [2].\n\n# References\n\n[1] <https://support.f5.com/csp/article/K55879220>\n\n[2] <https://support.f5.com/csp/article/K23605346>\n\n[3] <https://github.com/horizon3ai/CVE-2022-1388>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>05/05/2022 --- v1.0 -- Initial publication</em></li><li><em>10/05/2022 --- v1.1 -- Updated with information about active exploitation</em></li></ul><h2 id=\"summary\">Summary</h2><p>On the 4th of May 2022, F5 released several patches addressing 43 vulnerabilities [1], including one identified as <strong>critical</strong> - CVE-2022-1388 [2]. This vulnerability has a CVSS score of 9.8 out of 10, and it may allow an unauthenticated attacker with network access to the iControl REST interface to execute arbitrary system commands, create or delete files, and disable services [2].</p><p>On the 9th of May 2022, Horizon3 - along with other groups - released a proof-of-concept exploit [3]. Moreover, exploitation attempts have increased in the last few days. We advise you to patch as quickly as possible and restrict access to the F5 BIG-IP management interface to authorised personnel only.</p><h2 id=\"technical-details\">Technical Details</h2><p>An attacker with network access to the BIG-IP system through the management port and/or self IP addresses may bypass iControl REST authentication. As stated in the advisory [2], there is no data plane exposure; this vulnerability is a control plane issue only.</p><h2 id=\"affected-products\">Affected Products</h2><ul><li>BIG-IP: <ul><li>16.1.0 - 16.1.2,</li><li>15.1.0 - 15.1.5,</li><li>14.1.0 - 14.1.4,</li><li>13.1.0 - 13.1.4,</li><li>12.1.0 - 12.1.6,</li><li>11.6.1 - 11.6.5.</li></ul></li><li>Other F5 products such as BIG-IQ Centralized Management, F5OS-A, F5OS-C, and Traffix SDC are not vulnerable.</li></ul><p>For more detail, consult the table in the F5 advisory [2].</p><h2 id=\"recommendations\">Recommendations</h2><p>Apply the patches as soon as possible. Fixes for CVE-2022-1388 have been introduced in versions 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, and 13.1.5. For versions 11 and 12 there is no patch available and none will be released.</p><p>Update: You may check for any unauthorised actions in at least the following two locations:</p><ul><li>/var/log/audit</li><li>/var/log/restjavad-audit.0.log</li></ul><p>In case of a confirmed compromise, we advise you to rebuild the BIG-IP devices from scratch and rotate the internal certificates and passwords.</p><h3 id=\"workarounds\">Workarounds</h3><p>There are temporary workarounds that can be applied until it is possible to install a fixed version, such as:</p><ul><li>block iControl REST access through the self IP address,</li><li>block iControl REST access through the management interface,</li><li>modify the BIG-IP httpd configuration.</li></ul><p>More details can be found in the advisory [2].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://support.f5.com/csp/article/K55879220\">https://support.f5.com/csp/article/K55879220</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://support.f5.com/csp/article/K23605346\">https://support.f5.com/csp/article/K23605346</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/horizon3ai/CVE-2022-1388\">https://github.com/horizon3ai/CVE-2022-1388</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}